RealTime IT News

Oracle Issues 43 Patches, Nails Database Exploits

Oracle Patches
Oracle today aimed to plug dozens of vulnerabilities in its latest quarterly bundle of patches, with fixes for its BEA product suite and its flagship database as some of the most significant.

In all, the company's Critical Patch Update (CPU) patched 43 vulnerabilities. Four vulnerabilities rate an 8.5 or higher according to the industry Common Vulnerability Scoring System (CVSS) scale Oracle uses, which rates flaws from zero to ten to indicate growing risk.

Thirteen more vulnerabilities are also important because they can be exploited without authentication, but rank low on the CVSS scale because the potential damage is limited, Oracle said.

How dangerous the vulnerabilities may have been is unclear, however, since Oracle typically avoids releasing "detailed information about an exploit condition or results that can be used to conduct a successful exploit," it said in the CPU.

Oracle did urge its users to apply the patches, though, noting in the CPU that "due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible."

Some of the vulnerabilities fixed today shouldn't come as much of surprise, said Amichai Shulman, CTO of security firm Imperva and leader of its research unit, the Imperva Application Defense Center.

"We are more likely to find vulnerabilities in Web products than in databases because while a database rarely offers an interface that does not require some sort of authentication, in Web application servers, most functionality is available even without authentication."

Database dangers

In that context, the 16 vulnerabilities listed for the Oracle Database product are a more significant finding.

The top vulnerability, CVE-2009-0979, ranked a 9.0 for severity. While it only affects users of version 9 of the product -- users of versions 10 and 11, who should by now be in the majority, are safe -- it remains potentially dangerous: The flaw could allow for a complete takeover of the database, Oracle said.

That's one of the few instances in today's CPU where a vulnerability could result in a fully compromised system. According to Oracle's labeling methodology, most of the latest CPU's patches only for "partial+" system compromise, rather than "Complete" access, so the vulnerability stands as one of the most dangerous fixed in the update.

Although Oracle provided scant details on the vulnerability, Shulman guessed that it might be an SQL injection issue.

He added that several other lower-ranking vulnerabilities, which came in at 5.5 and 6.5, should still be taken very seriously because they affect versions 10 and 11 of the software and because the potential damage is high.

"They require a set of valid credentials," Shulman said. "But access complexity is very low and the effect, Partial+, is almost complete takeover."

He also said that two other vulnerabilities, ranked 5.0, might allow a Denial of Service attack on Oracle Database, based on the fact that Oracle's CPU indicated they require no authentication and could only impact availability -- not lead to compromised data. That's also not certain, however, considering the relatively scarcity of data Oracle disclosed on the flaws.

Beyond Oracle's flagship database, other products also faced significant vulnerabilities: The CPU disclosed three vulnerabilities to BEA JRockit and WebLogic Server, ranked 10, 10, and 8.5, which also allow for complete takeover.

Shulman said that Oracle's vulnerability disclosure has improved over time. The vulnerabilities are ranked by severity and each has a consistent CVE number , a nod to industry standard practice. But if Oracle disclosed more information about the vulnerabilities, customers could better decide how relevant they are to their own business, he said.

"Oracle is saying, 'Here's a patch: Apply it, that's your only choice.' There's not enough information about workarounds," he said. "I believe people should have other choices. That information is missing from this announcement."

Still, Shulman added that anyone with a Web-facing application needs to take security seriously.

"People should be aware that these software packages need to be taken care of," he said.